Microsoft Tech Community

What is the Defender ATP equivalent to "gpupdate /force" (force an update of policies on a host)


Hi there,

When troubleshooting, how does one tell Windows "Go check with Defender ATP headquarters and update your policy right now"? I'm looking for the equivalent of gpupdate /force to force a refresh of group policy when on-prem, but for MDATP.

 

Update (sorry for not zeroing in on this): I'm thinking in terms of indicators, e.g., if I go into Settings, add a File indicator, and set it to Alert and Block. I would hope that this isn't driven solely by the logs on the back-end, because the block would come in awfully late.

 

TIA!

What kind of policies are you talking about?
Client policies are pushed through Intune/MEMCM/GPO and the respective command for these tools should be used.

Otherwise, the MDATP cloud service doesn't push a lot of settings to users

@AnalystGuy If you're setting your Defender ATP configuration with Group Policy (Computer | Policies | Administrative Templates | Windows Components | Microsoft Defender Antivirus) then you've already said the answer, which is gpupdate /target:computer /force.

 

If you're using Intune, then this page might be of interest: https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/
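A small PowerShell troubleshooting script that puts the two refresh paths from this reply together and then measures how long a Defender setting takes to land. This is an added example, not code from any poster in this thread. It assumes an elevated session on a Windows 10/11 client with Microsoft Defender Antivirus; the `\Microsoft\Windows\EnterpriseMgmt\` task path is an assumption about where Windows registers the MDM enrollment client's sync tasks, and the `IsTamperProtected` exit condition is a placeholder for whichever setting you actually changed.

```powershell
# Added example (not from any poster in this thread). Run elevated.
# 1) Refresh computer Group Policy (the case covered above).
# 2) If the device is MDM-enrolled, start the enrollment client's sync task(s).
#    ASSUMPTION: tasks live under \Microsoft\Windows\EnterpriseMgmt\; names vary.
# 3) Poll Defender's reported state so the delay is measured, not guessed.
param(
    [int]$TimeoutMinutes = 60,
    [int]$PollSeconds = 60
)

Write-Host "Refreshing computer Group Policy..."
gpupdate /target:computer /force | Out-Null

$mdmTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if ($mdmTasks) {
    Write-Host "MDM-enrolled; starting $($mdmTasks.Count) enrollment client task(s)..."
    $mdmTasks | Start-ScheduledTask
} else {
    Write-Host "No EnterpriseMgmt tasks found; device does not appear to be MDM-enrolled."
}

# Snapshot of the settings that usually matter when checking whether policy landed.
function Get-DefenderSnapshot {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Time             = Get-Date
        AMRunningMode    = $s.AMRunningMode
        RealTimeOn       = $s.RealTimeProtectionEnabled
        TamperProtected  = $s.IsTamperProtected
        SignatureUpdated = $s.AntivirusSignatureLastUpdated
        CloudBlockLevel  = $p.CloudBlockLevel
    }
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $snap = Get-DefenderSnapshot
    $snap | Format-Table -AutoSize
    # Placeholder exit condition: swap in the setting you changed in the portal.
    if ($snap.TamperProtected) { Write-Host "Setting observed at $($snap.Time)"; break }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)
```

Portal-managed items such as custom indicators are fetched by the sensor on its own schedule, so the script can only observe when they arrive; it cannot force them.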

My apologies @Thijs Lecomte - perfectly legit question; see my updated post, above.

For indicators, there isn't any way to force it AFAIK. It periodically checks for new indicators in the MDATP portal; this shouldn't take long.

How long of a delay are you experiencing?

45 mins to an hour on a couple of tests

I think this is the expected time for things like this. Know that it's a worldwide cloud service, so delays are to be expected.
You could try to create a case for this but I wouldn't get my hopes up.
Sorry for raising this thread.
Most likely this holds true also when enabling Tamper Protection on an MDE tenant? It could take up to a couple of hours before the onboarded endpoints switch into a protected mode, right?